I use Private Internet Access as my VPN service. Before I had a 440, I was using another vendor and I would place OpenWRT behind it to host VPN services and just run them through my main firewall.
Now that I have a 440, I would like to know if it’s possible to use my VPN service directly on the 440. Otherwise, I guess I go back to having OpenWRT behind the 440 again to run the VPN service through it.
PA does not support OpenVPN or WireGuard etc., so you will need something behind the PA. I do similar with a 2nd gateway on my LAN for anything to route out the VPN; the 2nd gateway is running on pfSense.
Not sure if you mean an external IPSec service or a VPN connection from elsewhere to your home, but both are supported. IPSec guides are the ones you should look for in the first case; GlobalProtect Portal + Gateway guides are for the remote access option.
PIA VPN, so we’re just talking about some commercial-grade VPN (such as NordVPN). And you want to configure the 440 as a client. First of all, there are zero benefits to using commercial-grade VPN other than location spoofing. Obviously, enterprise-grade firewalls are never going to support that because it’s pointless. You do see this on routers such as Synology, but again that’s a consumer-grade router.
You can put such a router in front of the PA-440, but what’s the point? But if you’re planning to run OpenWRT behind the PA-440, then I’m lost.
Like others have said, Palo doesn't support it and you will need to do it behind the Palo and just allow it through. I assume what you are wanting to do is to have all traffic or a subset of traffic leave over VPN?
I use it for making sure all my outbound traffic is encrypted to a location-spoofed endpoint. Why? I've read plenty of stories about ISPs snooping customers' traffic. Also, I get on IRC a lot and would rather not hand over an IP there as it's a good place to attract attention.
It would appear a number of people do this in the replies above. But you’re saying zero benefits and no longer worth it? I’d like to hear more.
Not necessarily. Some VPN providers provide an option for IPSEC. So you should be able to create a tunnel from PA device to the provider. I would think you could route certain sites over this tunnel then all other traffic out the normal wan.
edit: pretty sure you don't want ALL traffic to go through the VPN, but it's possible I would think.
So you trust a random ISP somewhere else? Your ISP isn't snooping shit; as soon as your traffic hits the internet it doesn't matter where that happens. PIA and the like are a scam for 99% of people. You're paying to slow down your own internet for zero added protection.
GlobalProtect and IPSec, yes. But not for the reasons you think.
The tunnel is only active between two peers, e.g. you and the VPN provider. There’s no tunnel between the VPN provider and the website you are visiting.
Hosting your own VPN server (e.g. GlobalProtect) in your own local network won't encrypt outbound traffic that's going out to an external website such as Google. Insecure protocols such as telnet remain in cleartext. Only traffic between you and GlobalProtect is encrypted.
Most traffic is encrypted nowadays, HTTPS etc., so VPNs aren't needed. Your ISP has no view on HTTPS traffic at all. They can see the website you visited because of IP addresses, but they cannot see the content at all.
You shouldn't use non-encrypted protocols. VPNs don't solve this matter unless it's specifically used between two peers. And in your case, it's not.
VPNs in enterprise environments are used specifically for two reasons: site-to-site and remote access tunnels. The latter is used to access the enterprise network remotely, and in PAN-OS it's GlobalProtect.
Commercial-grade VPNs are making money off the ignorance of people who do not understand how a VPN works.
A VPN wouldn't "secure" your outbound traffic. It's a secure way to connect "TO" something. But if you're talking about just browsing the internet, then a VPN won't do anything for you.
I guess I’m not getting something here. If I browse/connect to a website, then:
- my location is spoofed to the websites logs.
- my outbound request is secure only until the exit point.
- and the return traffic is secure from the exit point back to me.
The way you're using "secure" is debatable. In essence, you're just changing the public IP (and also the geolocation) that you appear to be sourcing traffic from, which it sounds like you get. But you're still routing your traffic through a 3rd party, which is the VPN provider, so you're shifting your "trust" around.
You are just rerouting the traffic. You can't quantify whether your traffic leaving the VPN provider is more secure than the traffic leaving your house. Sure, the traffic from your house TO the VPN provider is in an encrypted tunnel. But who cares; the traffic is still ultimately destined for random web servers. You won't be able to get around that logistic.
The real advantage of using popular marketed "VPNs" is that web servers won't know your home's public IP. If that's of value to you, then you can accomplish that with a VPN service. This still all assumes you trust your VPN provider.